JP2018132823A - Policy setting device, policy setting method and policy setting program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To reduce impact on business operations due to addition of a security policy.SOLUTION: A policy setting device 10 extracts a communication partner address 13a which is an object of restricting communication, from analyte electronic mails 13 of electronic mails addressed to a user. The policy setting device 10 calculates a frequency index value indicating a frequency of communications that used the communication partner address 13a, referring to a communication history 14 indicating the communications conducted in the past. The policy setting device 10 includes a rule 15a for restricting the communication using the communication partner address 13a, and creates a security policy 15 set in such a manner that a valid period 15b becomes shorter, or a number of apparatuses 15c to be applied is reduced, as the frequency indicated by the frequency index value is larger.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a policy setting device, a policy setting method, and a policy setting program.

  As one of information security attacks (targeted attacks) aimed at stealing secret information possessed by a specific organization, there is a targeted email attack using electronic mail. In the targeted email attack, the attacker sends an unauthorized email pretending to be an email related to normal business to the target organization. An illegal e-mail may be attached with an illegal file including a computer virus, pretending to be a file related to business. An unauthorized e-mail may include a hyperlink to an unauthorized website that transmits a computer virus while pretending to be a business website.

  When a user who receives an unauthorized e-mail opens an attachment, a computer in the organization may be infected with a computer virus. In addition, when a user who receives an unauthorized e-mail follows a hyperlink and accesses a Web site, a computer in the organization may be infected with a computer virus. Infecting a computer virus may cause confidential information inside the organization to leak outside the organization.

  Various information security products may be used to reduce the threat of such targeted email attacks. For example, some information security products monitor e-mails received from outside the organization, and determine e-mails including specific source mail addresses and specific source mail server addresses as fraudulent e-mails. Information security products restrict user operations such as browsing and opening attached files for unauthorized e-mails. Also, for example, certain information security products monitor access to a Web server outside the organization, and restrict access by specifying a specific Web site address.

  An information filtering apparatus that removes and outputs information that is harmful to the user from received information has been proposed. The proposed information filtering apparatus collects behavior information indicating the user's behavior and determines the importance of the received information based on the behavior information. The information filtering apparatus removes information determined to be harmful and less important.

JP 2006-209379 A

  While the addresses used by attackers may change, targeted email attacks using similar addresses are often repeated in the short term. Therefore, when a user in the organization receives an e-mail suspected of being a targeted e-mail attack, a method can be considered in which the e-mail is provided as a sample e-mail from the user to the system management department to improve the information security of the entire organization. It is done. The system management department considers the address outside the organization included in the provided sample email as a cautionary address, and generates a security policy that restricts communication using a cautionary address or a similar address. It is done. The generated security policy is dynamically incorporated into various information security products.

  However, the sample mail provided by the user may include a legitimate electronic mail that the user has erroneously determined to be a target mail attack. Further, even if an address is an address used by an attacker, an address similar to the address may be a legitimate address used for business. Therefore, if the security policy generated based on the sample email provided by the user is simply applied, excessive defense that restricts legitimate communication may occur, and the normal business of the organization may be hindered. There is.

  In one aspect, an object of the present invention is to provide a policy setting device, a policy setting method, and a policy setting program that can reduce the influence on business due to the addition of a security policy.

  In one aspect, a policy setting device having a storage unit and a processing unit is provided. The storage unit stores one or more sample e-mails out of e-mails addressed to the user, and a communication history indicating communication of the user or other users performed in the past. The processing unit extracts a communication partner address targeted for communication restriction from the sample e-mail. The processing unit calculates a frequency index value indicating the frequency of communication using the communication partner address with reference to the communication history. The processing unit includes a rule that restricts communication using the communication partner address, and generates a security policy that is set such that the effective period is shortened or the application target device is decreased as the frequency indicated by the frequency index value increases.

  In one aspect, a policy setting method executed by a computer is provided. In one aspect, a policy setting program to be executed by a computer is provided.

  In one aspect, the impact on business due to the addition of a security policy can be reduced.

It is a figure which shows the example of the policy setting apparatus of 1st Embodiment. It is a figure which shows the example of the information processing system of 2nd Embodiment. It is a block diagram which shows the hardware example of a management server. It is a block diagram which shows the function example of a user terminal and a management server. It is a figure which shows the example of a log table. It is a figure which shows the example of a report log | history table. It is a figure which shows the example of a parameter table. It is a figure which shows the example of a policy determination table. It is a figure which shows the example of policy data. It is a flowchart which shows the example of a procedure of policy production | generation.

Hereinafter, the present embodiment will be described with reference to the drawings.
[First Embodiment]
A first embodiment will be described.

FIG. 1 is a diagram illustrating an example of a policy setting device according to the first embodiment.
The policy setting device 10 according to the first embodiment is a computer used to protect an information processing system from a targeted mail attack. The policy setting device 10 may be a client computer or a server computer. The policy setting device 10 dynamically generates a security policy to be applied to the security product. The security policy may indicate that communication using a specific communication partner address is restricted.

  The policy setting device 10 includes a storage unit 11 and a processing unit 12. The storage unit 11 is a volatile storage device such as a RAM (Random Access Memory) or a nonvolatile storage device such as an HDD (Hard Disk Drive) or a flash memory. The processing unit 12 is, for example, a processor such as a CPU (Central Processing Unit) or a DSP (Digital Signal Processor). However, the processing unit 12 may include an electronic circuit for a specific application such as an application specific integrated circuit (ASIC) or a field programmable gate array (FPGA). The processor executes a program stored in a memory such as a RAM. For example, the processor executes a policy setting program. A set of processors may be referred to as “multiprocessor” or simply “processor”.

The storage unit 11 stores the sample electronic mail 13 and the communication history 14. The storage unit 11 stores a security policy 15 generated by the processing unit 12 as will be described later.
The sample email 13 is an email addressed to the user received from outside the organization to which the user belongs. There may be two or more specimen emails. The sample e-mail 13 is provided as a sample from, for example, the user at the destination. For example, the sample e-mail 13 is an e-mail received by a terminal device used by the user and determined to be a target mail attack by the user. However, there is a possibility that the sample electronic mail 13 is a legitimate electronic mail erroneously determined to be a target mail attack.

  The communication history 14 is a history of communication performed in the past. The communication history 14 may include a history of communication performed by the terminal device of the user who provided the sample electronic mail 13. In addition, the communication history 14 may include a history of communication performed by a terminal device of another user who belongs to the same organization as the user who provided the sample email 13. The communication history 14 includes, for example, an e-mail reception history, an e-mail transmission history, a website access history, and the like.

  The e-mail reception history includes, for example, a sender mail address, a part of the sender mail address (such as a domain name), a sender mail server address, or a part of the sender mail server address (such as a domain name). . The e-mail transmission history includes, for example, a destination e-mail address or a part thereof (such as a domain name). The access history of the Web site includes, for example, an access destination Web site address (URL (Uniform Resource Locator) or the like) or a part thereof (domain name or the like).

  The security policy 15 is setting information applied to an electronic device capable of restricting communication such as transmission / reception of electronic mail and access to a website. The policy setting device 10 distributes the generated security policy 15 to appropriate electronic devices in the organization. For example, the security policy 15 may indicate that browsing of an electronic mail including a specific address as a transmission source address and opening of an attached file are prohibited. Such a security policy 15 may be distributed to a terminal device or a mail server used by the user. Further, for example, the security policy 15 may indicate that access to a website including a specific address in the URL is prohibited. Such a security policy 15 may be distributed to a terminal device or a proxy server used by the user.

  In the security policy 15, an effective period 15b and an application target device 15c may be set. The validity period 15b is a period during which the security policy 15 is valid, and the security policy 15 is invalid outside this range. The valid period 15b can be specified by the start time, the end time, the number of valid days, and the like. The security policy 15 may include information on the validity period 15b. The application target device 15c is an electronic device to which the security policy 15 is applied, and the security policy 15 is not applied to other electronic devices. The application target device 15c can be specified by an organization department name, a user name, a type of electronic device, or the like. The security policy 15 may include information on the application target device 15c.

  The processing unit 12 extracts a communication partner address 13 a targeted for communication restriction from the sample email 13. The communication partner address 13 a is an address used outside the organization to which the user belongs, and is described in a location other than the destination email address of the sample email 13. For example, the communication partner address 13a is the sender mail address described in the header, a part of the sender mail address (domain name, etc.), the sender mail server address, or a part of the sender mail server address (domain name, etc.). It is. Further, for example, the communication partner address 13a is a Web site address (such as a URL) described as a link destination in the text or a part thereof (such as a domain name).

  The processing unit 12 refers to the communication history 14 and calculates a frequency index value indicating the frequency of communication using the communication partner address 13a. For example, the processing unit 12 calculates a frequency index value from the transmission frequency (such as the number of transmissions within a certain period) of an electronic mail that includes the communication partner address 13a in the destination mail address. Further, for example, the processing unit 12 calculates a frequency index value from the reception frequency (such as the number of receptions within a certain period) of an electronic mail that includes the communication partner address 13a in the transmission source mail address or the transmission source mail server address. Further, for example, the processing unit 12 calculates a frequency index value from the access frequency (such as the number of accesses within a certain period) to a Web site that includes the communication partner address 13a in the Web site address. It can be said that this frequency index value represents the degree of influence on business when communication using the communication partner address 13a is restricted.

  The processing unit 12 generates a security policy 15 including a rule 15a indicating that communication using the communication partner address 13a is restricted. At this time, the processing unit 12 sets at least one of the valid period 15b and the application target device 15c for the security policy 15 based on the frequency index value. Regarding the effective period 15b, the processing unit 12 sets the effective period 15b to be shorter as the frequency indicated by the frequency index value is larger (the influence degree is larger), and as the frequency indicated by the frequency index value is smaller (the influence degree). The effective period 15b is set to be longer as the value is smaller. For the application target device 15c, the processing unit 12 sets the application target device 15c to decrease as the frequency indicated by the frequency index value increases, and increases the application target device 15c as the frequency indicated by the frequency index value decreases. Set to. For example, the number of target devices 15c can be reduced by limiting the types of departments, users, and electronic devices to which the security policy 15 is applied.

  According to the policy setting device 10 of the first embodiment, when the communication partner address 13a included in the sample electronic mail 13 provided by the user is the restriction target address, past communication using the communication partner address 13a is performed. The frequency is calculated. Then, the effective period 15b is set to be shorter as the past communication frequency is larger, or the application target device 15c is set to be smaller as the past communication frequency is larger. Thereby, the excessive defense by adding the security policy 15 which shows restrict | limiting the communication using the communicating party address 13a is suppressed, and the influence that a legitimate business is inhibited can be reduced.

  For example, when the sample email 13 is a legitimate email that is erroneously determined to be a targeted email attack, it is unlikely that another sample email that is the same as or similar to the sample email 13 will be provided later. . Therefore, if the validity period 15b is limited, it is expected that the security policy 15 is invalidated early without the validity period 15b being updated. On the other hand, when the sample email 13 is intended for a targeted email attack, there is a high possibility that another sample email that is the same as or similar to the sample email 13 will be provided later. Therefore, it is expected that the effective period 15b is extended and the security policy 15 is continuously applied.

  Further, for example, by limiting the application target device 15c, it is possible to suspend the application of the security policy 15 to a specific department that has a relatively large impact on the business and to try the security policy 15 in another department. It becomes possible. It is conceivable that the security policy 15 is applied to such a specific department after another sample email that is the same as or similar to the sample email 13 is provided later. That is, when the sample email 13 is a legitimate email that is erroneously determined to be a target email attack, the security policy 15 is not applied to a specific department that has a relatively large impact on the business. Be expected.

[Second Embodiment]
Next, a second embodiment will be described.
FIG. 2 is a diagram illustrating an example of an information processing system according to the second embodiment.

  The information processing system according to the second embodiment includes a management server 100, user terminals 200, 200a, 200b, and an administrator terminal 200c. The management server 100, user terminals 200, 200a, 200b, and the administrator terminal 200c are devices used in the same organization. The management server 100, user terminals 200, 200a, 200b, and the administrator terminal 200c are connected to a network 30 that is a local network.

  The management server 100 is a server computer that supports security measures for the user terminals 200, 200a, and 200b. The management server 100 protects the user terminals 200, 200a, and 200b from a targeted email attack that illegally obtains confidential organization information using electronic mail. The management server 100 collects an email (suspicious email) suspected of being a targeted email attack from the user terminals 200, 200a, 200b as a sample email.

  In response to an instruction from the administrator terminal 200c, the management server 100 generates a security policy (sometimes simply referred to as “policy”) using the collected sample mail. The policy includes a rule for determining whether the received email is a dangerous email related to a targeted email attack. Further, the policy includes a rule for determining whether an access destination website is a dangerous website related to a targeted mail attack. The management server 100 distributes the policy to the user terminals 200, 200a, 200b.

  The user terminals 200, 200a, 200b are client computers used by users belonging to an organization. The user terminals 200, 200a, and 200b may receive an e-mail transmitted from outside the organization in response to a user operation. At this time, the user terminals 200, 200a, and 200b determine whether the received electronic mail is a dangerous electronic mail based on the policy distributed from the management server 100, and restrict the browsing of the dangerous electronic mail. In addition, when the user determines that the received e-mail is an e-mail intended for a targeted e-mail attack, the user terminals 200, 200a, and 200b use the received e-mail as a sample e-mail according to the user's operation. This is provided to the management server 100.

  In addition, the user terminals 200, 200a, and 200b may access websites outside the organization in response to user operations. At this time, the user terminals 200, 200a, and 200b determine whether the access destination website is a dangerous website based on the policy distributed from the management server 100 and restrict access to the dangerous website. . Dangerous Web site access may occur when a user selects a hyperlink described in an email intended for targeted email attacks.

  The administrator terminal 200c is a client computer used by an administrator who manages the information processing system of the organization. The administrator terminal 200c accesses the management server 100 according to the operation of the administrator, and instructs the management server 100 to generate a policy and distribute the policy to the user terminals 200, 200a, and 200b. In the process of generating a policy from the collected sample mail, when an administrator's judgment (for example, narrowing down a suspicious mail) is required, the administrator appropriately sends an instruction to the management server 100 through the administrator terminal 200c.

FIG. 3 is a block diagram illustrating a hardware example of the management server.
The management server 100 includes a CPU 101, a RAM 102, an HDD 103, an image signal processing unit 104, an input signal processing unit 105, a medium reader 106, and a communication interface 107. The unit is connected to the bus. The user terminals 200, 200a, 200b and the administrator terminal 200c can also be implemented using the same hardware as the management server 100.

  The CPU 101 is a processor including an arithmetic circuit that executes program instructions. The CPU 101 loads at least a part of the program and data stored in the HDD 103 into the RAM 102 and executes the program. The CPU 101 may include a plurality of processor cores, the management server 100 may include a plurality of processors, and the following processing may be executed in parallel using a plurality of processors or processor cores. A set of processors may be referred to as “multiprocessor” or simply “processor”.

  The RAM 102 is a volatile semiconductor memory that temporarily stores programs executed by the CPU 101 and data used by the CPU 101 for calculations. Note that the management server 100 may include a type of memory other than the RAM, or may include a plurality of memories.

  The HDD 103 is a non-volatile storage device that stores an OS (Operating System), software programs such as middleware and application software, and data. The program includes a policy setting program. The management server 100 may include other types of storage devices such as flash memory and SSD (Solid State Drive), and may include a plurality of nonvolatile storage devices.

  The image signal processing unit 104 outputs an image to the display 41 connected to the management server 100 in accordance with a command from the CPU 101. As the display 41, any kind of display such as a CRT (Cathode Ray Tube) display, a liquid crystal display (LCD), a plasma display, an organic EL (OEL: Organic Electro-Luminescence) display, or the like can be used.

  The input signal processing unit 105 acquires an input signal from the input device 42 connected to the management server 100 and outputs it to the CPU 101. As the input device 42, a mouse, a touch panel, a touch pad, a pointing device such as a trackball, a keyboard, a remote controller, a button switch, or the like can be used. A plurality of types of input devices may be connected to the management server 100.

  The medium reader 106 is a reading device that reads programs and data recorded on the recording medium 43. As the recording medium 43, for example, a magnetic disk, an optical disk, a magneto-optical disk (MO), a semiconductor memory, or the like can be used. Magnetic disks include flexible disks (FD: Flexible Disk) and HDDs. The optical disc includes a CD (Compact Disc) and a DVD (Digital Versatile Disc).

  For example, the medium reader 106 copies a program or data read from the recording medium 43 to another recording medium such as the RAM 102 or the HDD 103. The read program is executed by the CPU 101, for example. The recording medium 43 may be a portable recording medium and may be used for distributing programs and data. In addition, the recording medium 43 and the HDD 103 may be referred to as computer-readable recording media.

  The communication interface 107 is an interface that is connected to the network 30 and communicates with other nodes via the network 30. The communication interface 107 is a wired communication interface connected to a communication device such as a switch by a cable, for example. However, a wireless communication interface connected to the base station via a wireless link may be used.

FIG. 4 is a block diagram illustrating exemplary functions of the user terminal and the management server.
The user terminal 200 includes a policy storage unit 211, an action log storage unit 212, a mailer 221, a Web browser 222, a mail checker 223, a Web access checker 224, and a shared information providing unit 225. The policy storage unit 211 and the action log storage unit 212 are implemented using, for example, a storage area secured in the RAM or HDD. The mailer 221, the Web browser 222, the mail checker 223, the Web access checker 224, and the shared information providing unit 225 are implemented using a program, for example. The user terminals 200a and 200b also have the same block configuration as the user terminal 200.

  The policy storage unit 211 stores policy data received from the management server 100. The policy data stored in the policy storage unit 211 includes policy data for filtering email received from outside the organization and policy data for filtering access to websites outside the organization. In the former policy data, rules indicating the characteristics of unauthorized e-mail are described. In the latter policy data, a rule indicating the characteristics of the website address of an unauthorized website is described.

  The action log storage unit 212 stores an action log indicating a history of communication performed by the user terminal 200. The action log stored by the action log storage unit 212 includes a transmission log indicating an e-mail transmission history and a reception log indicating an e-mail reception history. The action log includes a web log indicating the access history of the website.

  The mailer 221 is application software that performs e-mail processing such as transmission of e-mails, reception of e-mails, and storage and display of received e-mails in accordance with user operations. The mailer 221 transmits an e-mail to a mail server inside or outside the organization. Further, the mailer 221 accesses a mail server inside or outside the organization, and receives an e-mail addressed to the user stored in the mail server.

  The web browser 222 is application software that displays web pages in response to user operations. The Web browser 222 transmits a request designating a Web site address such as ULR to a Web server outside the organization, and receives data such as an HTML (HyperText Markup Language) document from the Web server. The web browser 222 draws and displays a web page based on the received data.

  When the mail checker 223 receives the e-mail, the mail checker 223 determines whether the received e-mail is an illegal e-mail intended for a targeted mail attack based on the policy data stored in the policy storage unit 211. judge. If it is determined that the email is an unauthorized email, the email checker 223 restricts browsing of the email by a method specified by the policy data. For example, the mail checker 223 displays a warning message that there is a possibility that the received electronic mail is an illegal electronic mail. In addition, for example, the mail checker 223 isolates the e-mail to a junk e-mail reception folder instead of a normal reception folder, and prohibits browsing of the e-mail. For example, the mail checker 223 prohibits the opening of the attached file of the electronic mail.

  Further, when the user determines that a certain electronic mail is a target mail attack, the mail checker 223 may receive a notification instruction from the user. The e-mail to be reported may be an e-mail that the e-mail checker 223 has determined that there is a possibility of a targeted e-mail attack, or an e-mail that has not been determined as such. The mail checker 223 provides the designated electronic mail to the shared information providing unit 225. Here, the mail checker 223 calculates a checker accuracy indicating the degree of conformity of the rule when collating the e-mail with the rule included in the policy data. The mail checker 223 provides checker accuracy to the shared information providing unit 225 together with the e-mail to be reported.

  Further, the mail checker 223 monitors the transmission of the email by the mailer 221 and stores a transmission log indicating the transmission history of the email in the action log storage unit 212. Further, the mail checker 223 monitors the reception of the electronic mail by the mailer 221 and stores a reception log indicating the reception history of the electronic mail in the action log storage unit 212.

  When the web browser 222 tries to access a website outside the organization, the web access checker 224 determines whether the access destination is an unauthorized website based on the policy data stored in the policy storage unit 211. When it is determined that the website is an unauthorized website, the web access checker 224 restricts access to the website by a method specified by the policy data. For example, the Web access checker 224 displays a warning message that the accessed Web site is invalid. For example, the web access checker 224 prohibits access to the web site by discarding the request generated by the web browser 222. Further, the web access checker 224 monitors the access to the website by the web browser 222 and stores a web log indicating the access history of the website in the action log storage unit 212.

  The shared information providing unit 225 transmits, to the management server 100, information that is preferably shared within the organization among the information that the user terminal 200 has. The shared information providing unit 225 provides the management server 100 with the email acquired from the email checker 223, that is, the email instructed to be reported by the user as a target email attack as a sample email. At this time, the shared information providing unit 225 notifies the checker accuracy together with the sample mail. In addition, the shared information providing unit 225 provides the management server 100 with the action log accumulated in the action log storage unit 212. The accumulated action log may be periodically transmitted to the management server 100 or may be transmitted to the management server 100 together with the sample mail.

  The management server 100 includes an action log storage unit 111, a report history storage unit 112, a setting information storage unit 113, a shared information collection unit 121, a suspicious mail extraction unit 122, a policy generation unit 123, and a policy distribution unit 124. The action log storage unit 111, the report history storage unit 112, and the setting information storage unit 113 are mounted using, for example, a storage area secured in the RAM 102 or the HDD 103. The shared information collection unit 121, the suspicious mail extraction unit 122, the policy generation unit 123, and the policy distribution unit 124 are implemented using a program, for example.

  The action log storage unit 111 stores action logs collected from the user terminals 200, 200a, and 200b. The action log stored by the action log storage unit 111 includes a transmission log indicating an e-mail transmission history and a reception log indicating an e-mail reception history. The action log includes a web log indicating the access history of the website.

  The report history storage unit 112 stores a history in which the user of the user terminal 200, 200a, 200b has reported a target mail attack in the past. The report history stored in the report history storage unit 112 includes the number of sample mails provided by the user for each user. In addition, the report history includes the number of suspicious emails that are highly likely to be actually targeted email attacks and used for policy data generation among sample emails provided by the user for each user. Extracting the suspicious mail from the provided sample mail is performed by the suspicious mail extracting unit 122.

  The setting information storage unit 113 stores setting information referred to when generating policy data from a suspicious mail. For setting information, a method for restricting browsing of received e-mail, a method for restricting access to a website, a policy data validity period, a condition for starting the delivery of policy data, and a method for selecting a delivery destination of policy data The information that shows the procedure to decide is included. The setting information includes a method for calculating an index value used for determining the above, and information indicating a parameter used for calculating the index value. For example, the setting information is created by an administrator and stored in the setting information storage unit 113 in advance.

  The shared information collection unit 121 receives an action log from the user terminals 200, 200 a, and 200 b and stores the received action log in the action log storage unit 111. Further, the shared information collection unit 121 receives a sample mail from the user terminals 200, 200a, and 200b.

  The suspicious mail extracting unit 122 extracts a suspicious mail used for generating policy data from the sample mail collected by the shared information collecting unit 121. At this time, the suspicious mail extracting unit 122 extracts the same or similar suspicious mails as a suspicious mail group. The suspicious mail is selected from the sample mail by the administrator, for example. The administrator checks each collected sample email to determine whether there is a high possibility of a targeted email attack. Further, the administrator determines a group of sample mails based on the similarity between sample mails that are determined to be highly likely to be a targeted mail attack. The suspicious mail extracting unit 122 extracts a suspicious mail group in accordance with an instruction from the administrator terminal 200c operated by the administrator.

  Further, the suspicious mail extracting unit 122 stores the report history about the sample mail collected by the shared information collecting unit 121 in the report history storage unit 112. The suspicious mail extracting unit 122 adds one report mail number of the user who provided the sample mail for each sample mail. In addition, the suspicious mail extracting unit 122 adds one suspicious mail number of the user who provided the sample mail for each sample mail extracted as the suspicious mail.

  The policy generation unit 123 refers to the setting information stored in the setting information storage unit 113, generates policy data from the suspicious mail extracted by the suspicious mail extraction unit 122, and determines a delivery destination of the generated policy data. . At this time, the policy generation unit 123 may extract a domain outside the organization described in the suspicious mail as a restriction target domain and generate policy data indicating that communication with the restriction target domain is restricted.

  In that case, the policy generation unit 123 has a degree of influence indicating the influence on business by restricting communication for the restriction target domain, and a degree of accuracy indicating reliability that the restriction target domain is a domain related to the targeted mail attack. Is calculated. The policy generation unit 123 calculates the degree of influence based on the action log stored in the action log storage unit 111. The policy generation unit 123 calculates the accuracy based on the checker accuracy provided together with the sample mail extracted as the suspicious mail and the report history stored in the report history storage unit 112. The policy generation unit 123 automatically adjusts the length of the effective period of the policy data and the distribution destination of the policy data based on the calculated combination of the influence degree and the accuracy.

  The policy distribution unit 124 transmits the policy data generated by the policy generation unit 123 to the distribution destination user terminal determined by the policy generation unit 123. The policy data distribution destination may be all user terminals used in the organization, may be limited to user terminals used in a specific department, or used by a specific user. It may be limited to the user terminal. When the user terminal 200 is included in the distribution destination, the policy data is transmitted to the user terminal 200 and stored in the policy storage unit 211.

FIG. 5 is a diagram illustrating an example of a log table.
The action log storage unit 111 stores a web log table 114. The web log table 114 shows a history of access from the user terminals 200, 200a, 200b to websites outside the organization. The web log table 114 includes items of time, destination domain, browsing time, number of browsing pages, and post-access action.

  Registered in the time field is the time when access to the Web site is started, that is, the time when the first request specifying a certain destination domain is transmitted. In the destination domain item, a domain included in the Web site address of the Web site to be accessed is registered. The destination domain may be a domain name included in the URL or an IP (Internet Protocol) address of a Web server corresponding to the Web site.

  In the browsing time item, the time (seconds) during which the Web browser 222 was displaying the Web page of the Web site is registered. When a plurality of Web pages belonging to the same destination domain are continuously displayed, the display times of the plurality of Web pages are totaled. In the item of the number of browsing pages, the number of Web pages of the Web site displayed continuously by the Web browser 222 is registered. As long as the destination domain is the same, the number of browse pages increases by one each time the displayed Web page is switched.

  In the post-access action item, the type of action performed by the user after the Web browser 222 transmits the first request is registered. Types of post-access actions include “cancel”, “reference”, “link”, and “download”. Cancel indicates that the display of the Web page is canceled immediately after the first request is transmitted (within a predetermined number of seconds). The cancellation occurs when the Web site to be accessed is immediately changed or when the Web browser 222 is immediately closed. The reference indicates that only one Web page is displayed longer than the predetermined number of seconds for the destination domain. The link indicates that a plurality of Web pages belonging to the destination domain are displayed by following the hyperlink. Download indicates that a file other than the display data has been downloaded.

  In addition, the action log storage unit 111 stores a transmission log table 115. The transmission log table 115 shows a history of transmission of electronic mail from the user terminals 200, 200a, 200b to the outside of the organization. The transmission log table 115 has items of time and destination domain. In the time item, the time when the electronic mail is transmitted is registered. The domain included in the destination mail address is registered in the destination domain item.

  The action log storage unit 111 stores a reception log table 116. The reception log table 116 shows a history of receiving emails from outside the organization by the user terminals 200, 200a, 200b. The reception log table 116 has items of time, transmission source domain, and text. In the time item, the time at which the e-mail is received is registered. The domain included in the source address is registered in the item of the source domain. The transmission source address may be a transmission source mail address or an address of a mail server used for transmission. The mail server IP address may be used as the mail server domain. The text described in the body of the e-mail is registered in the text item. The e-mail header and attached file may be excluded from the body of the e-mail.

  Note that the web log table 114 only needs to hold an access history for the most recent predetermined period (for example, the most recent month), and older access histories may be deleted from the web log table 114. Similarly, the transmission log table 115 may hold a transmission history for the most recent predetermined period, and an older transmission history may be deleted from the transmission log table 115. The reception log table 116 only needs to hold the reception history for the most recent predetermined period, and the reception history older than that may be deleted from the reception log table 116.

FIG. 6 is a diagram illustrating an example of a report history table.
The report history storage unit 112 has a report history table 117. The report history table 117 indicates a sample mail provision status for each user. The report history table 117 has items of user ID, number of report mails, and number of suspicious mails.

  An identifier assigned to a user belonging to an organization is registered in the user ID item. In the item of the number of notification emails, the number of sample emails provided to a management server 100 by a certain user is registered. The number of suspicious mails that are determined to be highly suspicious mails with a high possibility of targeted mail attack among sample mails provided by a certain user is registered in the item of number of suspicious mails. The ratio obtained by dividing the number of suspicious emails by the number of notification emails represents the rate at which user notifications were correct.

Here, an example of a method for calculating the influence degree and the accuracy will be described.
The influence degree can be calculated as follows, for example. Influence = α1 × Web access value + α2 × transmitted mail value + α3 × received mail value + α4 × content value. Here, α1, α2, α3, and α4 are parameters representing weights.

  The Web access value is calculated from the access history for the most recent predetermined period (for example, one month) with the restricted domain as the access destination. First, the number of access times × average browsing time × average number of browsing pages is calculated. The access count is the number of records that include the restriction target domain in the destination domain among the records recorded in the Web log table 114. The average browsing time is an average of browsing times included in the corresponding record. The average number of browsing pages is the average number of browsing pages included in the corresponding record. When this value is larger than the web access threshold Th1, the web access value = 1 is calculated, and when this value is equal to or smaller than the web access threshold Th1, the web access value = 0 is calculated.

  However, if there is a record that includes the restriction target domain in the destination domain and the post-access action is “download”, “link”, or “reference”, a predetermined value is added to the Web access value. When there is a record whose post-access action is “download”, β1 is added to the Web access value. If there is a record whose post-access action is “link”, β2 is added to the Web access value. If there is a record whose post-access action is “reference”, β3 is added to the Web access value. Normally, “download” has higher business importance than “link”, and therefore β1 is β2 or more. In addition, since “link” has higher business importance than “reference”, β2 is β3 or more.

  The transmission mail value is calculated from the transmission history of the electronic mail in the latest predetermined period (for example, one month) including the restriction target domain in the destination address. First, the number of e-mail transmissions including the restriction target domain in the destination domain is calculated. When the number of transmissions is larger than the transmission mail threshold Th2, the transmission mail value = 1 is calculated. When the number of transmissions is equal to or less than the transmission mail threshold Th2, the transmission mail value = 0 is calculated.

  The received mail value is calculated from the reception history of e-mails in the latest predetermined period (for example, one month) including the restriction target domain in the transmission source address. First, the number of times of receiving an e-mail including the restriction target domain in the transmission source domain is calculated. When the number of receptions is greater than the received mail threshold Th3, the received mail value = 1 is calculated, and when the number of receptions is equal to or less than the received mail threshold Th3, the received mail value = 0 is calculated.

  The content value is calculated from an e-mail reception history for the most recent predetermined period (for example, one month). First, the text of the body (which may include a title) is extracted from the suspicious mail, and the similarity is calculated between each text recorded in the reception log table 116. As a method for calculating the similarity between texts, an n-gram distance, a Levenshtein distance (edit distance), or the like can be used. A received mail whose similarity is higher than a predetermined threshold (distance is smaller than the threshold) is specified, and the number of corresponding received mails is calculated. When the number of received mails is larger than the content threshold Th4, the content value = 1 is calculated. When the number of received mails is equal to or smaller than the content threshold Th4, the content value = 0 is calculated.

The accuracy can be calculated as follows, for example. Accuracy = α5 × checker accuracy + α6 × report reliability. Here, α5 and α6 are parameters representing weights.
The checker accuracy is a value calculated by the user terminals 200, 200a, and 200b when determining whether or not the received e-mail is an e-mail of a targeted e-mail attack, and indicates the degree of conformity with the rule included in the policy data. Represent. When two or more suspicious mails that are the same or similar exist, an average of checker accuracy for the two or more suspicious mails is calculated.

  Here, the rules included in the policy data define various characteristics of the electronic mail intended for the targeted mail attack. Examples of features defined in the rules include the IP address of the sender mail server, the domain of the sender mail server, the sending time, the time zone of the sending time, the day of the sending date, the sending mailer, the character string included in the title, and the destination A combination of email addresses. The checker accuracy is, for example, the ratio of the characteristics of the received email among the plurality of characteristics defined in the rule. In this case, assuming that eight features are listed in the rule and the received e-mail has five features, the checker accuracy is calculated to be 62.5%. An e-mail whose checker accuracy is larger than the threshold is subjected to filtering such as warning display or unopening. However, in calculating the checker accuracy, a plurality of features may be weighted.

  The report reliability is calculated based on the report history stored in the report history table 117. First, the user ID of the user who provided the suspicious mail is specified, and the number of report mails and the number of suspicious mails corresponding to the user ID are searched from the report history table 117. Then, the ratio of the number of suspicious emails to the number of notification emails becomes the notification reliability (report reliability = number of suspicious emails / number of notification emails). When two or more suspicious emails that are the same or similar exist, the report reliability of two or more users corresponding to the two or more suspicious emails is added up.

  It should be noted that by setting a part of α1, α2, α3, and α4 to 0, it is possible not to use a part of the Web access value, the transmitted mail value, the received mail value, and the content value for calculating the influence degree. it can. For example, if α4 = 0, it is possible not to consider the text similarity in calculating the influence. In addition, by setting either one of α5 and α6 to 0, it is possible to prevent either one of the checker accuracy and the notification reliability from being used for accuracy calculation. For example, if α5 = 0, the accuracy can be calculated only from the notification reliability, and if α6 = 0, the accuracy can be calculated only from the checker accuracy.

FIG. 7 is a diagram illustrating an example of a parameter table.
The setting information storage unit 113 stores a parameter table 118. The parameter table 118 stores parameters used for calculating the influence and parameters used for calculating the accuracy. The parameters used for calculating the degree of influence include a Web access threshold Th1, a transmission mail threshold Th2, a reception mail threshold Th3, and a content threshold Th4. Further, the parameters used for calculating the influence degree include a download addition value β1, a link addition value β2, and a reference addition value β3. Further, the parameters used for calculating the influence degree include a web access weight α1, a transmission mail weight α2, a reception mail weight α3, and a content weight α4. Parameters used for accuracy calculation include checker accuracy weight α5 and report reliability weight α6.

FIG. 8 is a diagram illustrating an example of a policy determination table.
The setting information storage unit 113 stores a policy determination table 119. The policy determination table 119 associates the degree of influence and accuracy with the setting of policy data. The policy determination table 119 includes items of influence, accuracy, distribution conditions, processing, period, and distribution destination.

  A flag indicating whether the influence degree is large or small is registered in the influence degree item. The degree of influence calculated by the above method is compared with a predetermined threshold, and when the degree of influence is greater than the threshold, the degree of influence is determined to be “high”, and when the degree of influence is less than or equal to the threshold, the degree of influence is “small”. It is determined. In the accuracy item, a flag indicating whether the accuracy is high or low is registered. The accuracy calculated by the method as described above is compared with a predetermined threshold, and when the accuracy is greater than the threshold, the accuracy is determined as “high”, and when the accuracy is equal to or less than the threshold, the accuracy is determined as “low”.

  In the item of distribution condition, a condition for distributing policy data to user terminals in the organization is registered. For example, the distribution condition is that the number of identical or similar specimen emails provided is a certain number or more. When the distribution condition is not satisfied (for example, when the number of sample mails is small), the policy data using the restriction target address extracted from the sample mail is not distributed.

  In the processing item, a communication processing method that conflicts with the policy data is registered. The processing method includes “warning” and “prohibition”. When the processing method is “warning”, for example, a warning message is displayed when an e-mail conflicting with policy data is received or when the e-mail is to be opened. Also, for example, a warning message is displayed when access to a website that violates policy data occurs. When the processing method is “prohibited”, for example, when an e-mail that violates policy data is received, the e-mail is forcibly quarantined in a junk mail folder and opening is prohibited. Also, for example, access to a website that violates policy data is forcibly blocked.

  In the period item, a period during which the policy data is valid is registered. Policy data older than the period from the distribution date is invalid, and filtering based on the policy data is not performed. In the distribution destination field, a destination range to which policy data is distributed is registered. Distribution destinations include, for example, all user terminals in the organization (overall), user terminals in specific departments within the organization (department only), and user terminals of users who have a strong business relationship with the user who provided the sample email (relationship) For example). The specific department is determined in advance by the administrator according to the necessity of communication with the outside of the organization. For example, the information system section is included in the distribution destination of the policy data, and the sales department having a lot of communication with the outside is excluded from the distribution destination. The related person of the user who provided the sample mail is, for example, a user who belongs to the same department as the user.

  As an example, when the degree of influence is large and the accuracy is high, the distribution condition is set to two or more sample mails, the processing method is set to warning, the effective period is set to two weeks, and the distribution destination is limited to the department. When the degree of influence is large and the accuracy is low, the delivery condition is one or more specimen mails, the processing method is warning, the validity period is one week, and the delivery destination is limited to the department. When the degree of influence is small and the accuracy is high, the delivery condition is set to three or more sample mails, the processing method is prohibited, the validity period is set to 6 months, and the delivery destination is the whole. When the degree of influence is small and the accuracy is low, the distribution condition is set to two or more sample mails, the processing method is prohibited, the validity period is set to one month, and the distribution destination is set to the related party.

  When the influence degree is large (exceeding the threshold value), the effective period is preferably shorter than when the influence degree is small (below the threshold value). Further, when the influence degree is large, it is preferable that the range of the delivery destination is narrower than when the influence degree is small. When the accuracy is high (exceeding the threshold value), the effective period is preferably longer than when the accuracy is low (below the threshold value). Further, when the accuracy is high, it is preferable that the range of the delivery destination is wider than when the accuracy is low.

FIG. 9 is a diagram illustrating an example of policy data.
The policy storage unit 211 stores policy data 213. The policy data 213 is generated by the management server 100 and distributed to the user terminal 200. The policy data 213 includes a delivery time, an expiration date, a rule, and a processing method. The distribution time is the time when the policy data 213 is distributed. The expiration date is a time indicating the end of the effective period of the policy data 213. The rule is a black list indicating the characteristics of e-mail to be filtered or the characteristics of Web access to be filtered. A rule may include a sender domain as a feature of electronic mail. In addition, the rule may include a destination domain as a characteristic of Web access. The processing method is an e-mail or Web access filtering method that conforms to the rules.

Next, an example of a processing procedure of the management server 100 will be described.
FIG. 10 is a flowchart illustrating an example of a policy generation procedure.
(S10) The suspicious mail extracting unit 122 selects a group of suspicious mails that are highly likely to be a targeted mail attack and have the same or similar contents from the sample mails collected from the user terminals 200, 200a, and 200b. Extract. For example, the suspicious mail extracting unit 122 selects a suspicious mail group in response to an instruction from the administrator terminal 200c. However, the suspicious mail extracting unit 122 may automatically determine the possibility of a target mail attack for each sample mail based on a predetermined determination rule. Further, the suspicious mail extracting unit 122 may automatically determine the identity of the content by comparing texts between the suspicious mails.

  (S11) The suspicious mail extracting unit 122 updates the report history table 117 stored in the report history storage unit 112. That is, the suspicious mail extracting unit 122 adds one report mail number corresponding to the user who provided the sample mail for each sample mail. Further, the suspicious mail extracting unit 122 adds one suspicious mail number corresponding to the user who provided the suspicious mail for each suspicious mail extracted from the sample mail.

  (S12) The policy generation unit 123 extracts a domain outside the organization that is commonly included in the suspicious mail group as a restriction target domain from the suspicious mail group extracted in step S10. The restriction target domain is included in, for example, the transmission source mail address or the transmission source mail server address described in the header part of the suspicious mail. The restriction target domain is included in, for example, a URL described in the text (body part) of a suspicious email.

  (S13) The policy generation unit 123 searches the action log storage unit 111 for an action log within the latest predetermined period related to the restriction target domain extracted in step S12. The policy generation unit 123 searches the web log table 114 for web logs having the restriction target domain as the destination domain. Further, the policy generation unit 123 searches the transmission log table 115 for a transmission log having the restriction target domain as the destination domain. Further, the policy generation unit 123 searches the reception log table 116 for a reception log having the restriction target domain as a transmission source domain. Further, the policy generation unit 123 extracts the text of the body from the suspicious mail, and searches the reception log table 116 for reception logs with similar text.

  (S14) The policy generation unit 123 calculates the degree of influence using the action log searched in step S13. The policy generation unit 123 calculates a web access value from the number of retrieved web logs (number of records), the average browsing time, and the average number of browsing pages. At this time, the policy generation unit 123 adds the download addition value, the link addition value, or the reference addition value to the Web access value according to the post-access action. Further, the policy generation unit 123 calculates a transmission mail value from the number of transmission logs searched (number of records). Further, the policy generation unit 123 calculates the received mail value and the content value from the number of received reception logs (number of records). The policy generation unit 123 calculates the degree of influence based on the weighted sum of the Web access value, the transmission mail value, the reception mail value, and the content value.

  (S15) The policy generation unit 123 searches the report history table 117 stored in the report history storage unit 112 for a report history corresponding to the user who provided the sample mail. The report history includes the number of report emails and the number of suspicious emails. When two or more suspicious emails are extracted in step S10, the policy generation unit 123 searches the report history of each of the two or more users.

  (S16) The policy generation unit 123 calculates a report reliability based on the report history searched in step S15. Report reliability is the ratio of the number of suspicious emails to the number of emails reported. When two or more suspicious emails are extracted in step S10, the report reliability of two or more users is totaled. Further, the policy generating unit 123 acquires the checker accuracy provided together with the suspicious mail. If two or more suspicious emails are extracted in step S10, an average of checker accuracy for the two or more suspicious emails is calculated. Then, the policy generation unit 123 calculates the accuracy by the weighted sum of the checker accuracy and the notification reliability.

  (S17) The policy generation unit 123 refers to the policy determination table 119 stored in the setting information storage unit 113, and determines the distribution condition, processing method, and effective period from the set of influence and accuracy calculated in steps S14 and S16. And determine the delivery destination.

  (S18) The policy generating unit 123 determines whether the number of suspicious emails extracted in step S10 satisfies the distribution condition determined in step S17. If the distribution condition is satisfied, the process proceeds to step S19. If the distribution condition is not satisfied, the process ends.

  (S19) The policy generation unit 123 generates a rule indicating characteristics common to the suspicious mail group based on the suspicious mail group extracted in step S10. The rule may include the restriction target domain extracted in step S12. Then, the policy generation unit 123 generates policy data including the generated rule, the processing method determined in step S17, and the expiration date according to the effective period determined in step S17.

(S20) The policy distribution unit 124 distributes the policy data generated in step S19 to the distribution destination determined in step S17.
In the above description, the management server 100 calculates the influence degree and the accuracy. However, the user terminals 200, 200a, and 200b may calculate at least one of the influence degree and the accuracy when the sample mail is provided. For example, when the user terminal 200 provides a sample mail, it is conceivable that the influence degree is calculated based on an action log stored in the user terminal 200. Further, the behavior log may be classified into a plurality of time zones, and the influence degree for each time zone may be calculated. In that case, a processing method and an effective period can be changed according to a time zone. Further, the action log may be classified into a plurality of departments, and the degree of influence for each department may be calculated. In that case, the processing method and the effective period can be changed depending on the department.

  According to the information processing system of the second embodiment, when the communication partner domain described in the sample mail is a restriction target domain, the influence degree is calculated from the communication history related to the restriction target domain. Further, the accuracy is calculated from the checker accuracy calculated by the mail checker and the user's report history. Then, the effective period of policy data and the distribution destination range are adjusted according to the set of influence and accuracy. For example, the effective period and the distribution destination range are limited as the influence degree is large, and the effective period and the distribution destination range are expanded as the influence degree is small. For example, the validity period and the distribution destination range are expanded as the accuracy is high, and the validity period and the distribution destination range are limited as the accuracy is low.

  Thereby, the excessive defense by adding policy data can be suppressed, and the influence that a legitimate business is inhibited can be reduced. For example, even if a user erroneously provides a valid e-mail as a sample e-mail, the influence on work can be limited. Further, even when an address similar to the address used by the attacker is used in a legitimate business, the influence on the business can be limited. In addition, if the sample email is an email for the purpose of targeted email attack, it is highly likely that the same or similar sample email will continue to be provided. It is expected that security can be secured.

DESCRIPTION OF SYMBOLS 10 Policy setting apparatus 11 Memory | storage part 12 Processing part 13 Sample e-mail 13a Communication partner address 14 Communication history 15 Security policy 15a Rule 15b Effective period 15c Applicable apparatus

Claims (5)

A storage unit that stores one or more sample e-mails of e-mails addressed to the user and a communication history indicating communication of the user or other users performed in the past;
Extracting a communication partner address to be subject to communication restriction from the sample e-mail, calculating a frequency index value indicating a frequency of communication using the communication partner address with reference to the communication history, and Including a rule that restricts communication using an address, and a processing unit that generates a security policy that is set such that the effective period is shortened or the target device is reduced as the frequency indicated by the frequency index value increases,
Policy setting device. In the calculation of the frequency index value, the processing unit transmits an email transmission frequency including the communication partner address as a destination address, an email reception frequency including the communication partner address as a transmission source address, and the communication partner address. Calculating the frequency index value based on at least one of website access frequencies including
The policy setting device according to claim 1. The storage unit further stores a sample history indicating the number of sample emails and the number of sample emails addressed to the user used to generate a security policy,
The processing unit further calculates a reliability index value indicating the reliability of the provided sample email with reference to the sample history,
In the generation of the security policy, the processing unit is configured such that the higher the reliability indicated by the reliability index value is, the longer the effective period is, or the higher the reliability indicated by the reliability index value is, the more devices are applied. Set the security policy to
The policy setting device according to claim 1. A policy setting method executed by a computer,
From among one or more sample e-mails among e-mails addressed to the user, a communication partner address for which communication is restricted is extracted,
With reference to a communication history indicating communication of the user or other users performed in the past, a frequency index value indicating the frequency of communication using the communication partner address is calculated,
Including a rule for restricting communication using the communication partner address, and generating a security policy that is set so that the effective period is shortened as the frequency indicated by the frequency index value is large, or the target device is reduced.
Policy setting method. On the computer,
From among one or more sample e-mails among e-mails addressed to the user, a communication partner address for which communication is restricted is extracted,
With reference to a communication history indicating communication of the user or other users performed in the past, a frequency index value indicating the frequency of communication using the communication partner address is calculated,
Including a rule for restricting communication using the communication partner address, and generating a security policy that is set so that the effective period is shortened as the frequency indicated by the frequency index value is large, or the target device is reduced.
Policy setting program that executes processing.

Images